Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

The container shit ain't working, oh well

Browse source
This commit is contained in:
Lillian Violet 2024-01-06 16:54:15 +01:00
parent c727773a14
commit e43963c6c3
2 changed files with 109 additions and 94 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

90
nixos/server/package-configs/aria2/configuration.nix
View file

@ -7,99 +7,9 @@
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."wg-private".mode = "0440";
sops.secrets."wg-private".owner = config.users.users.aria2.name;
containers.aria2 = {
forwardPorts = [
{
containerPort = 6969;
hostPort = 6969;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/media" = {
hostPath = "/var/lib/media";
isReadOnly = false;
};
"/var/lib/wg/private-key" = {
hostPath = config.sops.secrets."wg-private".path;
isReadOnly = true;
};
};
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
config = {
config,
pkgs,
...
}: {
system.stateVersion = "unstable";
networking.firewall.allowedTCPPorts = [6969];
networking.firewall.allowedUDPPorts = [6969 51820];
users.users = {
aria2.extraGroups = ["jellyfin" "nextcloud"];
};
services.aria2 = {
enable = true;
downloadDir = "/var/lib/media";
rpcListenPort = 6969;
};
networking.wg-quick.interfaces = {
wg0 = {
postUp = ''
# Mark packets on the wg0 interface
wg set wg0 fwmark 51820
# Forbid anything else which doesn't go through wireguard VPN on
# ipV4 and ipV6
${pkgs.iptables}/bin/iptables -A OUTPUT \
! -d 192.168.0.0/16 \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -A OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \
--dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \
-j ACCEPT
'';
postDown = ''
${pkgs.iptables}/bin/iptables -D OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -D OUTPUT \
! -o wg0 -m mark \
! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
'';
address = ["10.2.0.2/32"];
dns = ["10.2.0.1"];
privateKeyFile = "/var/lib/wg/private-key";
peers = [
{
publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo=";
allowedIPs = ["0.0.0.0/0"];
endpoint = "185.159.158.182:51820";
persistentKeepalive = 25;
}
];
};
};
};
};
}

105
nixos/server/package-configs/aria2/container.nix Normal file
View file

@ -0,0 +1,105 @@
{
config,
pkgs,
...
}: {
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."wg-private".mode = "0440";
sops.secrets."wg-private".owner = config.users.users.aria2.name;
containers.aria2 = {
forwardPorts = [
{
containerPort = 6969;
hostPort = 6969;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/media" = {
hostPath = "/var/lib/media";
isReadOnly = false;
};
"/var/lib/wg/private-key" = {
hostPath = config.sops.secrets."wg-private".path;
isReadOnly = true;
};
};
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
config = {
config,
pkgs,
...
}: {
system.stateVersion = "unstable";
networking.firewall.allowedTCPPorts = [6969];
networking.firewall.allowedUDPPorts = [6969 51820];
users.users = {
aria2.extraGroups = ["jellyfin" "nextcloud"];
};
services.aria2 = {
enable = true;
downloadDir = "/var/lib/media";
rpcListenPort = 6969;
};
networking.wg-quick.interfaces = {
wg0 = {
postUp = ''
# Mark packets on the wg0 interface
wg set wg0 fwmark 51820
# Forbid anything else which doesn't go through wireguard VPN on
# ipV4 and ipV6
${pkgs.iptables}/bin/iptables -A OUTPUT \
! -d 192.168.0.0/16 \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -A OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \
--dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \
-j ACCEPT
'';
postDown = ''
${pkgs.iptables}/bin/iptables -D OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -D OUTPUT \
! -o wg0 -m mark \
! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
'';
address = ["10.2.0.2/32"];
dns = ["10.2.0.1"];
privateKeyFile = "/var/lib/wg/private-key";
peers = [
{
publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo=";
allowedIPs = ["0.0.0.0/0"];
endpoint = "185.159.158.182:51820";
persistentKeepalive = 25;
}
];
};
};
};
};
}